Live from Las Vegas, Nevada, it's theCUBE, covering Accelerate 2017, brought to you by Fortinet. Now, here are your hosts, Lisa Martin and Peter Burris. Welcome back to theCUBE. We are live in Las Vegas at Fortinet's Accelerate 2017 event, really exciting, buzzy day that I have had with my co-host Peter Burris. I'm Lisa Martin. We're very excited to be joined by Zeus Kerravala of ZK Research. Welcome to theCUBE. Thanks Lisa. We're happy to have you here. It's great to be here. And we, as I've mentioned, Peter and I have been talking with a lot of great folks all day from Fortinet, from Technology Alliance Partners. The buzz is here, obviously the security as an industry, the market, there's tremendous change going on there. Breaches are happening daily from big brands that we're all very aware of as consumers to the small mom and pop. So, Zeus, you founded ZK Research. You said a little over five years ago. That's correct. But you've been in the industry as an analyst for quite a long time and you actually were in IT as well. Yeah, I was. I was. I played a number of different roles. I started off as an engineer. I held a role as a CIO for a while. I worked for a VAR. And then I got tired of doing that and I became an industry analyst and I've been doing that about 15 years now. Excellent. So, one of the things that we'd love to ask you about is during the keynote this morning, the CEO of Fortinet, Ken Xie, talked about this big impact that hyperconnectivity is having in general, right? This proliferation of mobile devices, of IoT devices that are really causing a lot of challenges for security, but also talked about that there will be tremendous growth in the security market. What's your take on where the security market is going? Yeah, I really like Ken's keynote. In fact, Ken typically delivers very technical keynotes and that's worked well for him because customers tend to love him. And this one was a little higher level and I really like that. 
And Ken's right, we are moving into a world where everything is connected. Literally everything, our cars, our pets, the things we wear, the things in our home, everything in our business. And that has some profound implications for business. First of all, security's becoming an asymmetric problem for security professionals. What I mean by that is it used to be that you had one way into the network and you had to protect it. And the bad guys had to come through that way. Now, security professionals have to protect tens, hundreds, thousands of new entry points created from all these connections to the cloud to IoT devices, but the bad guys still only have to find one way in. And once they're in, we assume that environment is secure and they can meander around and the bad guys can figure out what to steal. And so I think one of the points that was underscored in Ken's keynote is the fact that security is changing. It's evolving from something that was focused at the perimeter to something that needs to be focused more internal. In fact, my research shows that 90% of security spend is still focused at the perimeter and only 20% of the breaches occur there. So you can see customers are misaligned with how they're spending their money. And I thought a lot of the messages from Ken's keynote were, I think, well received by the audience because it's something they need to hear. Yeah, he talked about the security evolution which I also thought was quite interesting. I saw a graphic the other day that showed by decades a security evolution. You talked about perimeter in the 1990s. It was focused on perimeter, obviously still important but not the only thing you talked about. There's a lot of ways in now. Then going on to web 2.0, web security, then cloud security in the 2010s. And now getting to this, what Ken described as the third generation of fabric needing automation, needing resilience. And as you talked about kind of internal. 
So I thought that was a really interesting way of looking at that. But also, very interesting that you're seeing almost that 80-20 rule with your clients. How are you helping them to sort of switch that from a spend and really show, even in some ways, maybe how the technology that they would employ from a security perspective can actually bring revenue opportunities? Yeah, I think they have to rely more on the technology and automation. Typically, security's been deployed box by box, device by device at specific points in the network using manual processes. And frankly, that's kind of slow, right? And security already has a bit of a bad rap that it slows the business down. Users tend to turn things off in their computers because it slows them down. And in this digital era, and I was glad Ken talked about digital transformation because in the digital era, the new currency of business is speed. Companies need to move with unprecedented speed. Those that can do that will be able to sustain market leadership and those that can't will fall behind. And frankly, over the last five years, we've seen a bunch of big name vendors, brands that we all knew go away, right? Because they couldn't keep up. Now, when you think about what companies are trying to do, in order to be a digital enterprise, you need to be agile. But you're only as agile as your least agile IT component. And today that's the network. So if I've got this fully automated IT stack and I've got containers popping up and new applications being deployed and I'm accessing things from the cloud, but my engineers have to run around security appliances and deploy them, all that does is slow the business down. And so I think the concept of the security fabric is to ensure that you have the right services in the right places that you can turn on. And now security becomes a business enabler and not an inhibitor. 
So in some ways we're flipping the model around where security, like I said, has been viewed as something that's held the company back, but it's now something that can allow us to differentiate ourselves because we'll have the trust from the customers that we have the right security in the right places. I want to follow up on your point, you made about the 90% of the investment at the perimeter and 20%. There might be another way of thinking about it. I want to test this with you. Is that it takes, that 90% of security investment is what it takes to ensure that no more than 20% of the attacks occur at the perimeter. So does that mean that we need to reallocate that 100% of resources where that 100% is going to grow 3x because it's still going to require that 90% to keep the perimeter secure? Yeah, I think it's a bit of both, but I do think we'll see the spend on security go up because we have to secure more things. Like if you look at some of the big breaches that we've seen, in fact, almost all of them occurred from inside the network. So bad guys are smart, right? The hackers are, clearly they're some of the most brilliant minds out there. That's why they're able to do what they do. And they know that the perimeter security today is so well built that the amount of effort it takes to break through it is very, very high. So you're right, that amount of spend is required to keep all that, those threats out. But it's not the only answer. It's not the only answer. And we need a, so we're going to need to continue to invest in endpoint and perimeter, but as you were saying, we also have to invest in data and have a balanced approach to the whole thing, which leads us to this notion of fabric. Yeah, and I think the automation capabilities of the fabric, it can really help offset, like I don't want people watching this to think, oh my God, my security budget's going to be like triple what I had. 
Because frankly, the people costs associated with security from my research are almost about 60% of the cost. I mean, the equipment itself isn't all that much, right? So if I can invest more in the right technology and I can automate a lot of the things I can do today, now I can reallocate those people costs somewhere else. So in fact, I may wind up spending the same amount from an overall perspective or maybe a little bit less, but it'll be far more secure because I have the right technology in the right places. So where are those people going to go? You know, in this, I hear all the time, and I think this is one thing that's held automation back from IT people that they're scared to death of automation because they think their jobs are at stake. But if you look all the way back to the mainframe, we've always had this transition, right? Where we did things and the new technology came in and new skills are needed to do new things. And I think if you look at IT today, there's a crying need for data scientists, for analytic skills. I mean, security itself is less about point products and more about data gathering and data analytics. And there's very few of those professionals out there. So if I'm a professional, a security professional today, I want to automate those traditional tasks because I need to invest in myself to make sure that my skill set is current today and also a decade from now. And I think a lot of that's going to come from the data in the area of data sciences. Yeah, and a lot of those, as you said, a lot of those skills in doing the models of security and this fabric notion are transferable to other domains. Oh, absolutely. So if you don't want to stay a security professional, but most security people like security, that's why they're doing it. And, but I do think there will always be need for skills in the next thing. The key for the security professionals is don't get stuck in the old world. 
You know, embrace this new world, embrace automation because it's going to free up their time to do things that are more strategic to the company, which is going to allow them to be more valuable as well. You touched on the fabric term a minute ago, and that's one of the things that Fortinet announced last year was the security fabric approach. Can you talk to us about fabric versus platform? What are your thoughts there? And what are they, how are they different? Yeah, I think, first of all, the fabric and platform are both roughly trying to solve the same problem that too many vendors doesn't make you more secure. In fact, my research shows that on average, companies have 32 vendors, security, different security vendors, which you can't build any kind of strategy around that. So the concept of either a fabric or a platform is that I can reduce the number of vendors, I can simplify my architecture, and I can get more intelligence across that and the entirety of the platform or the fabric. Now the difference though is I think the fabric, think of what a fabric is. It's a big cloth where any point is connected to any point. And so the security intelligence is spread across that fabric and I can drop new components in or take them out and things will continue to work. So it allows me that if I put a new IoT device in, I can push security capabilities there. If I start using a new cloud service, I can push security capabilities there. A platform to me is more dependent on a centralized point of control and I can attach things to that point of control, but if I take that point of control out, now none of the things work. And so I think that the fabric almost democratizes security capabilities across the infrastructure because it's more dynamic and more distributed and we're clearly living in a world where dynamism and distribution are the norm, right? And so the security architecture needs to follow that. 
Paradoxically, doesn't that centralized security platform then become the biggest security risk in the company? Yeah, well if you breach that then you can get anywhere. Right, right, and so I think the security fabric is the right way to think about it. It's not, you're not trying to beef up one particular area. You're trying to make a set of security services available across your entire infrastructure. Is that kind of the key advice that you give to your clients that are looking for it? This now requires a new approach, new architecture. Is that kind of the key advice that you offer to them? Yeah, well that's the biggest conversation I have with security professionals today is they don't really know where to go from here. They've invested all this money and all these tools and the environment's gotten increasingly more complicated, right? So they're falling behind, it's very, very slow and it's not working, right? The average number of days to find a breach is 100 days. Think of what can happen in 100 days, right? That's over a quarter and so there's a great desire to be able to find breaches faster but also first simplify the architecture and that's always my advice is you can't move forward until you take a step back and simplify, right? And the concepts I think of the fabric are really aligned with that. It's simplification, automation and it removes a tremendous amount of the human burden from security operations which, you know, frankly I think is holding things back. What are some of the things that you're most excited about? You were in the keynote this morning, we chatted about that. We talked about some of the things that were discussed there with the evolution of security that the third generation. You mentioned speed as currency and actually kind of jogged my memory about something that you were talking about with respect to data and also that was brought up this morning as the data value, if it's not valuable to a business, you know, that business has. 
Well, one of the things we talked about this morning specifically was that security used to be the department of no, as you said earlier and companies that can collapse the time between an idea and execution in a world where at least in the digital world where digital security is so essential are going to provide an enormous net new set of value propositions to their customers and I'm sure you've seen that. Yeah, well, no doesn't work anymore because of shadow IT. If you say no to a line of business they're just going to go find a different way to do it and that can be incredibly risky because now IT has no control. In fact, some of the interesting data points from my research is that 50% of companies don't know what devices are attached to their network and I think 96% of companies have IT services that have been procured not through IT directly by the line of business. So it's become the norm and I think if you look across the entirety of the world today from business processes through IT strategy, data and analytics has become the key differentiator to be able to take the data, analyze it and then be able to create some new insights. Now from a line of business perspective they're trying to understand the way you like to shop you know the sports teams you like the things you like to buy and push more relevant content to you. From a security perspective it's being able to find those breaches faster, right? And then being able to cut that number down from a hundred days to frankly we have to get to minutes and I thought some of the more exciting things they showed in the keynote were the ability to take the data and then show it visually because I've always said you can't secure what you can't see, right? And if you're blind to what's going on in the network you'll never, ever, ever be able to truly secure it. 
And so I think Fortinet's entering an era now where they're actually harnessing the power of all the data they have but they're focused more on the UI you know the new FortiOS 5.6. A big part of that is the new user interface to be able to display the data in a way that's understandable by the people using the tools. Excellent, that's a great point that you can't secure what you can't see. You cannot secure what you can't see. Well Derek was, Derek Manky was actually talking earlier who's the global security strategist here at Fortinet. I'm sure you know Derek. Was actually talking about one of the things he's excited about and I want to get your take on this point is that he thinks 2017 may be the year that the White Hats get the upper hand. Well hopefully, yeah I do think- Because of this notion of automation and- Yeah, you know I talked about the asymmetric problem security where the bad guys need to find one way in. I think data and visualization can reverse that because once they're in the network they need to stay, the bad guys need to stay hidden and the good guys, right, the internal security department only needs to find one instance of anomalous traffic or something that could indicate a breach to be able to start the process of remediation. And so you're right, I think in some ways well, maybe a little, maybe next year. Hopefully this year the White Hats start to, they'll at least gain ground this year and I think we'll start to see that asymmetry problem flipped. Precisely because you only need one instance of a bad action. Correct, correct. And a lot of these bad actions come from users specifically being targeted and sometimes security, no matter how much training they do, users don't know. You get an email from somebody, they click on it, somebody sends you a file. I've talked to HR people that have gotten resumes emailed to them that have viruses in them and they don't know, right? 
And so, but once that action starts the data and visualization tools can help identify those very, very quickly. And the important part about that is the faster you find it, the smaller the blast radius. So if I find it in five seconds, of course that I'm only, maybe only that HR person's computer's affected. But if it takes me a hundred days, now the whole department or maybe a whole building's been impacted. So, you know, containing that blast radius I think is something that security professionals need to focus on. Is blast radius typically a function of time or is it also a function of proximity to other business activities? I think it's primarily a function of time and I think it's exponential, right? So the longer the time goes, exponentially greater the damage. Well gentlemen, tremendous conversation. There's a tremendous amount of opportunity I think is what we've heard today. Thank you very much, Zeus, for sharing your insight, your research with us. Let's hope that 2017 is the year the White Hats get the upper hand. Yeah, I think it's a really exciting time for security professionals. I think the first time in a long time they have the opportunity to fight back in a battle that they've been losing ground in for really the better part of a decade. Well Zeus, thank you so much for joining us. And on behalf of my colleague Peter Burris, thank you for watching. Stay tuned, we'll be right back to wrap up the day.